Leaked Slack bot token — data exfiltration + social engineering
A Slack bot token (xoxb-*) grants the bot's full scope — often channel read, DM read, or user enumeration. Leakage = read access to whatever channels the bot was added to.
The next 60 seconds matter
The attacker reads every channel and DM the bot can see. They extract secrets pasted in channels, PII in private threads, and customer support conversations. For social engineering, they may post as the bot to trick users.
- Read every channel the bot is in
- Read DMs the bot has received
- Post messages as the bot
- Exfiltrate workspace user list with emails
Rotation playbook
- api.slack.com/apps → (your app) → OAuth & Permissions → Reinstall App
- Or: Revoke all tokens via Slack admin panel
- Review Audit Logs in Slack Enterprise for anomalous bot activity
Prevent the next one
- Use narrow scopes — do not grant channels:history if the bot does not need to read history
- Rotate bot tokens periodically via app reinstall
- Use Slack's token expiration if available in your workspace tier
Pattern we scan for
xoxb-{workspace-id}-{bot-id}-{token}
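The following is an added example of a scanner for that pattern, written for this page and not the project's own scanning code. It assumes the two id fields are numeric runs of at least 8 digits and the trailing secret is at least 20 alphanumeric characters (both assumptions, chosen to skip placeholders and truncated values); the sample lines are constructed. Findings are redacted so the report can be shared without re-leaking the token, and hits are grouped by (workspace-id, bot-id) so one app reinstall covers every copy of the same token.

```python
import re
from dataclasses import dataclass

# Page pattern: xoxb-{workspace-id}-{bot-id}-{token}.
# Assumption: ids are numeric (>= 8 digits), secret is alphanumeric (>= 20 chars).
# The floors deliberately reject README placeholders like "xoxb-your-token-here"
# and truncated values that could never authenticate.
XOXB_RE = re.compile(r"\bxoxb-(\d{8,})-(\d{8,})-([A-Za-z0-9]{20,})\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    workspace_id: str
    bot_id: str
    redacted: str  # enough to correlate with the app page, not enough to reuse


def redact(token: str) -> str:
    """Keep the prefix and last 4 characters; everything else is dropped."""
    return token[:5] + "..." + token[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per bot-token occurrence, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in XOXB_RE.finditer(line):
            findings.append(
                Finding(line_no, m.group(1), m.group(2), redact(m.group(0)))
            )
    return findings


def rotation_targets(findings: list[Finding]) -> set[tuple[str, str]]:
    """Distinct (workspace-id, bot-id) pairs: each is one app to reinstall."""
    return {(f.workspace_id, f.bot_id) for f in findings}


# Constructed sample input: a deploy log, a README, a CI log and a config file.
# Only lines 1 and 4 carry a well-formed token (the same one, pasted twice).
SAMPLE = """\
2024-05-01T10:00:00Z deploy: SLACK_BOT_TOKEN=xoxb-123456789012-9876543210123-AbCdEfGhIjKlMnOpQrStUvWx
README: set SLACK_BOT_TOKEN=xoxb-your-workspace-your-bot-your-token
ci.log: retrying with token xoxb-1234-5678-abc
config.yml: slack_token: "xoxb-123456789012-9876543210123-AbCdEfGhIjKlMnOpQrStUvWx"
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for h in hits:
        print(f"line {h.line_no}: {h.redacted} (workspace {h.workspace_id}, bot {h.bot_id})")
    print(f"{len(rotation_targets(hits))} app(s) need reinstall")
```

Run it over a git history export or CI log dump; a single (workspace-id, bot-id) pair appearing in many files still maps to one "Reinstall App" action in the playbook above, and the redacted form is what goes into the incident ticket.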